I panicked over the Defacement Challenge scare
and all I got was this lousy defacement.


See:   The hilarious Advisory by the New York Department of Cyber-Security
See also:   The s00p4h s3kr3t Üb3r-l33t FEDCIRC Advisory   (dated 2003-07-01)
See also:   Talking Points for the Media   (comments from real security folks)


THE FUD & HYPE REALITY CHECK
Headlines generated over the so-called "Defacement Challenge" which all the major media outlets have covered this past week.
(circa July 3rd, 2003)

Reading the news of late is like witnessing all security issues being reduced to a "Rocking Chair" modality. Everyone's put a helluva lot of energy and effort into this mess, but we are still going nowhere fast!
Talking Points for the Media (drafted by several well-known and published security professionals)
July 3rd, 2003

  • Web attacks occur at all hours of the day and night. If it's convienient to attack, a scriptkiddy will...and they won't announce it. We should be more concerned with the serious attackers who do not broadcast their intentions.
  • The "prize" is 500 megs of online storage space? I have a decade-old PC with more hard disk space than they're allegedly "awarding" in this contest. Hell, my MP3 player has more than 40 times that amount of storage. Besides, any cracker with a modicum of "skill" could easily amass far more storage using systems they've breached.  Finally, who in their right mind would want to risk getting caught for that paltry reward?
  • Symantec (owner of SecurityFocus) has not issued an alert on this matter; that alone shows how seriously they view this "threat."
  • Massive attacks on the Internet are like conspiracy theories: those that are predicted don't occur and those that occur were never predicted.  To illustrate:  in the immediate wake of 9/11/2001, NIPC held a much-publicized forum about looming threats to the Internet. None of that grandstanding did ANYTHING to predict or blunt the impact of Nimda which occurred a mere six days later.  The same is true for the massive Distributed Denial of Service (DDoS) that struck 6 of the 13 root servers a few months ago.
  • Should we be concerned about our system security this weekend?   YES! But no more so than any other weekend or workday. There's no excuse for not having properly-configured, secured, and administered systems 24/7/365.  Scrambling to patch systems in advance of a "threat" like this is foolhardy and not the way to enact meaningful security.
  • The guidance issued in the New York Cybersecurity Alert mentioned above is a joke. The recommendations are not anything beyond "good security measures" that should be taken each and every day by competent system administrators.  The fact this organization released such generic guidance tells us that people still don't implement lasting IT Security...and if they did, such "threats" of web defacements wouldn't cause the mass hysteria it has over the past several days.


0WN3D BY ISS, B4BY!@#$%^
GR33TZ TO: TR34CH3RY UNL1M1T3D, 1NF0W4RR10R, R3ZN0R::D0T::C0M, UN1XG33KZ, 4TTR1T10N, 4ND 0UR H0M13Z 4T N1PC!@#



[Okay, joke's over...]